2 Replies Latest reply on Apr 24, 2016 8:34 AM by andy777

    Search on windows event id's

    ecan007

      When we search for events in McAfee Siem we have the signature id and the normalization ID.

      Now I am getting complaints not to use the signature id's but the normalization id's.

      The reason is that signature id's can change (how often coudl that be?).

      THe rpoblem with normalization is that it's usually not specific enough.

       

      In windows environments we have the windows events and I was wondering if we can search on windows events?

      Windows events are reliable but even more usefull, because you already know what you are looking for.

      Instead of generating events and looking for a signature of that event.

      I couldn't find it so far on how to do it.

        • 1. Re: Search on windows event id's
          davids15

          Not sure this is what your looking for:

           

          The windows events are mapped back to signature for example. If you take a look at the sig you will notice the last 3-5 numbers correspond to the windows event ID.

           

           

          43-263047400 - 4740: A user account was locked out


          The other suggestion would be to modify the Windows Parsers to capture the windows event ID into a searchable field and then you would be able to search the field for the event id.

          • 2. Re: Search on windows event id's
            andy777

            You're able to search for Windows Events directly from the Global Filter. As mentioned, you can decode and guess the Sig-ID for the Windows event, or you can click the Windows tab and enter the Event ID there. The challenge is that some Windows Event IDs aren't necessarily unique so this less than obvious method allows you to select the correct application that the ID is referring to.

            win-event-search.PNG